Update pki-core to 10.6.7-1 and update its corresponding deps:

  • nuxwdog to 1.0.5-2
  • dogtag-pki to 10.6.7-1

rebuilt adding aarch64 back as esc is now available for aarch64

This update has been submitted for testing by dmoluguw.

2 years ago

This update has obsoleted pki-core-10.6.6-2.fc28, and has inherited its bugs and notes.

2 years ago

This update has been pushed to testing.

2 years ago
User Icon adamwill commented & provided feedback 2 years ago
karma

This seems to have broken FreeIPA. Error:

Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed:
org.codehaus.jackson.map.JsonMappingException: Can not instantiate value of type [simple type, class com.netscape.certsrv.system.ConfigurationRequest] from JSON String; no single-String constructor/factory method

Please check the CA logs in /var/log/pki/pki-tomcat/ca.

Errors in the pki-tomcat debug log:

2018-10-09 17:26:38 [https-jsse-nio-8443-exec-7] ERROR: RESTEASY002005: Failed executing POST /installer/configure
org.jboss.resteasy.spi.ReaderException: org.codehaus.jackson.map.JsonMappingException: Can not instantiate value of type [simple type, class com.netscape.certsrv.system.ConfigurationRequest] from JSON String; no single-String constructor/factory method
    at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
    at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.codehaus.jackson.map.JsonMappingException: Can not instantiate value of type [simple type, class com.netscape.certsrv.system.ConfigurationRequest] from JSON String; no single-String constructor/factory method
    at org.codehaus.jackson.map.deser.std.StdValueInstantiator._createFromStringFallbacks(StdValueInstantiator.java:379)
    at org.codehaus.jackson.map.deser.std.StdValueInstantiator.createFromString(StdValueInstantiator.java:268)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromString(BeanDeserializer.java:765)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserialize(BeanDeserializer.java:585)
    at org.codehaus.jackson.map.ObjectMapper._readValue(ObjectMapper.java:2704)
    at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1315)
    at org.codehaus.jackson.jaxrs.JacksonJsonProvider.readFrom(JacksonJsonProvider.java:419)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61)
    at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
    at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
    at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
    ... 62 more

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago

Can you provide us more info: - Which version of FreeIPA does this update break? - Can we get more access to the logs?

Here is the full log tarball - you can always find it on the 'Logs & Assets' tab for openQA tests (unless it's an old test and it's been garbage-collected). The version of FreeIPA in current F28 stable, that was used in the test, is 4.7.0-3.fc28 .

For the record, we looked into this and we believe the problem is that this update is missing tomcatjss 7.3.6. That got put into its own update, when it should have been part of this one. The new pki bits apparently require the new tomcatjss. The corresponding F29 update does include tomcatjss, and that passed testing.

@dmoluguw is going to do a tomcatjss 7.3.6-2 build and edit it into this update, overriding the separate tomcatjss 7.3.6-1 update. At that point the tests will automatically re-run and hopefully will pass.

As per our discussion, tomcatjss 7.3.6-1 will be hitting stable within a day. So, we will be rerunning the ipa tests once it gets pushes to stable.

Reason: To keep the tomcatjss' release number in sync with Fedora releases.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago

@adamwill, can you rerun the FreeIPA test since tomcatjss-7.3.6-1.fc28 is now available in stable?

User Icon cheimes commented & provided feedback 2 years ago
karma

pki-core 10.6.7 causes some FreeIPA CI jobs to fail.

http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/810bd274-d84b-11e8-8b76-fa163e2ec43b/

CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmplvg21m1f'] returned non-zero exit status 1: "pkispawn : ERROR ....... certutil: Missing '-h token' option!\n")

spawn log

2018-10-25 11:56:31 nssdb         : INFO     Creating NSS database
2018-10-25 11:56:31 pkispawn      : INFO     ....... generating '/etc/pki/pki-tomcat/password.conf'
2018-10-25 11:56:31 pkispawn      : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
2018-10-25 11:56:31 pkispawn      : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
2018-10-25 11:56:31 pkispawn      : DEBUG    ........... chmod 660 /etc/pki/pki-tomcat/password.conf
2018-10-25 11:56:31 pkispawn      : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/password.conf
2018-10-25 11:56:31 pkispawn      : INFO     ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
2018-10-25 11:56:31 pkispawn      : ERROR    ....... certutil:  Missing '-h token' option!
2018-10-25 11:56:31 pkispawn      : DEBUG    ....... Error Type: Exception
2018-10-25 11:56:31 pkispawn      : DEBUG    ....... Error Message: certutil:  Missing '-h token' option!
2018-10-25 11:56:31 pkispawn      : DEBUG    .......   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 534, in main

Commit https://github.com/dogtagpki/pki/commit/17677ae4d2cda456b64ec67e2b25ba63f4a58a70 removed the token check from generate_self_signed_certificate but not from verify_certificate_exists.

User Icon abbra commented & provided feedback 2 years ago
karma

Indeed, failing IPA in a stable Fedora release should not be allowed.

This update has been obsoleted.

2 years ago

For the record, the openQA tests do now pass. Sorry for the delay. I re-ran them a week or so ago but they ran into an unrelated test issue; I fixed that and re-ran them last night and now they passed. Obviously whatever the CI is catching isn't encountered in the openQA tests for some reason...


Please login to add feedback.

Metadata
Type
enhancement
Karma
-3
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
2 years ago
in testing
2 years ago

Automated Test Results